PUTRAJAYA, Dec 30 — The Communications and Digital Ministry (KKD) is taking the alleged breach involving the personal data of 13 million Malaysians on a website seriously and has ordered that access to the website be blocked.
Communications and Digital Minister Fahmi Fadzil said the ban notice was submitted to the Malaysian Communications and Multimedia Commission (MCMC) to stop the public from accessing the website.
He added that the ministry, through the Personal Data Protection Department and Cybersecurity Malaysia (CSM) were obtaining feedback from Maybank and Astro to verify the alleged leaked data.
In a statement today, he said preliminary investigations into the Maybank account numbers displayed on the website that went viral revealed that the accounts were invalid or did not exist as transactions could not be made.
“There is also the potential that the alleged leaked data refers to the leak that occurred in 2018.
“However, official confirmation from relevant parties is needed for detailed investigations under the Personal Data Protection Act 2010 (Act 709),” he said.
Fahmi had earlier instructed the Personal Data Protection Department and CSM to investigate allegations that a website had listed personal data of 3.5 million Astro subscribers, 1.8 million Maybank accounts and 7.2 million users compiled by the Election Commission on Sunday at around 7.56 pm.
The alleged leaked information involved usernames, full names, date of birth, addresses and identity card numbers.
Fahmi said investigations into the alleged EC data breach would be left to the National Cyber Security Agency (NACSA) for further action as it was outside the purview of Act 709.
Act 709 stipulates that every personal data company must comply with the seven Personal Data Protection Principles in managing customer’s personal data to ensure that it is not misused.
Failure to comply is an offence punishable by fines of not more than RM300,000 or two years jail or both if found guilty.
Fahmi also reminded personal data users to ensure their cybersecurity was at a good level tand to comply with the principles and standards of personal data protection as outlined in Act 709.